In the digital world, it's a given that your business will eventually be targeted by a cyberattack, regardless of its size. Threats such as malware, distributed denial of service, and man-in-the-middle attacks are commonplace, but you can prepare by implementing a set of best practices to insulate yourself. Even the most thorough preparation, however, can be undermined by an unsuspecting employee or an unforeseen vulnerability. You can never be absolutely certain your system won't be compromised, and a compromise puts your finances, your reputation, and your customers' privacy at risk.
Luckily, there is cyber liability insurance to hedge your cybersecurity bets. Unfortunately, 74 percent of small businesses do not maintain a cyber liability insurance policy, according to a survey of Manta members conducted by Insureon. Many entrepreneurs feel unconcerned, and 85 percent of respondents said they'd never experienced a data breach. Still, 77 percent have taken some steps to protect their business, which is promising.
Still, when a data breach costs a business between $36,000 and $50,000 on average, it doesn't hurt to have a safety net like cyber liability insurance. Nailing down cyber risk is still a moving target, and the industry is learning and adapting. While businesses can use cyber liability insurance to limit their exposure, it's not a cure-all; nothing is a suitable replacement for best cybersecurity practices and tight security protocols.
In this article ...
- What threats are out there?
- Mitigating the risk of a cyberattack
- Assigning the risk of a cyberattack
Business News Daily spoke with IT experts Senthil Rajamanickam, the FSI operations manager for data company Infogix, and Keith Barker, the founder of the "Certified Ethical Hacker" training course, about the growing reality of cyberattacks and how to mitigate the risks posed by malicious hackers.
What threats are out there?
Before you can begin to protect yourself, it's important to understand the threats that exist. Barker created his training course to do exactly that. Breaking down the basics of the most common techniques employed by hackers, the course is designed to help IT professionals anticipate and evade such attacks. By teaching about these threats from the ground up, Barker hopes to demonstrate to IT pros and entrepreneurs the nature of the myriad attacks that could be used against their systems.
"There are a lot of scary things in this course," Barker told Business News Daily. "The objective is shock, to wake people up to the kinds of things that are out there."
Two of the largest threats facing businesses, he said, are people being tricked into unwittingly opening the door for a malicious attack, and malware, which is any form of hostile or intrusive software that seeks to leverage your system for a nefarious purpose. In addition to those common attacks, Barker included distributed denial of service attacks, which flood a server with requests to overload it and temporarily shut down the system, and hijacking, or redirecting traffic by altering a system's DNS servers.
Still, that hardly scratches the surface of what's out there, and for a small IT team with a heavy workload, some of these threats can be easily overlooked, he said.
"Especially for a small business that doesn't have a huge IT staff or any specialists, one- or two-people teams are perhaps so busy they might not have time to step back and say, 'Okay, what are we forgetting here?'" Barker said.
Mitigating the risk of a cyberattack
Once you've identified some of the most likely threats, you can mitigate the risks to your systems. Large companies heavily divert resources to this kind of protection and risk analysis, but small businesses are often unable to do so, Barker said.
"Huge companies spend millions and millions of dollars on [cybersecurity]," he said. "Small companies might just spend the money [necessary] to keep their systems functional."
But by identifying the biggest risks to your business and insulating them as much as possible, he said, you can help reduce the likelihood of an attack causing immense damage to your assets and reputation.
"If one server means a lot for revenue or the company, for example, that's a great server to help protect," Barker said. "You might move it to the cloud and use cloud security, which really just means someone else is doing it for you. That's why so many small companies are using cloud services, because they can be compliant with all these check boxes they need without internal staff."
Rajamanickam said small businesses can also institute a series of measures like firewalls, scans for threats and setting up the router process to make attacks more difficult. Unfortunately, he added, "there's not really much else you can do."
"These types of attacks are going to be there and [be] difficult to prevent," Rajamanickam said. "Federal regulators are encouraging information-sharing on cyberattacks, which will help [businesses] be ready for these attacks, but it still won't prevent it."
Assigning the risk of a cyberattack
The uncomfortable knowledge that an attack can still get through despite preventative measures might leave you feeling uneasy. The rise of cybersecurity insurance is a response to exactly that concern.
"Cyberattacks really pose a big challenge for [businesses] to offset that type of risk," Rajamanickam said. "The natural thing to do is to go and look at cybersecurity insurance. It's not going to completely remove the risk, but it will transfer some of the risk to the insurance company."
However, even cybersecurity insurance is extremely limited, and only a fraction of the real risk can be shifted off your books, because there's no reliable method to quantify the risks. After all, what is the total sum of your business's data actually worth? The biggest cybersecurity insurers still don't have access to all the information they require to confidently accept larger portions of cyber-related risks. Without really knowing what risk they're accepting, the insurance companies could be opening themselves up to massive losses, and so they remain hesitant to accept more risks.
"There is no way for you to monetize the data you hold into a dollar value. It's still simply not there," Rajamanickam said. For example, "Uber could potentially be a market cap of multiple billions of dollars very quickly, but the maximum underwriting only protects hundreds of millions [of dollars' worth] of the data. An attack could cause much more damage than what insurance could cover.
"Most insurance companies are focused on helping you redo your network [and] replace or upgrade hardware, and so it's limited," he added.
Rajamanickam described the rise of a new industry known as "infonomics," which treats data as an asset and determines how best to assign a dollar value to it. As that industry grows, he said, the insurance companies might have a more reliable way to contemplate the risk of cyberattacks. But until then, businesses will remain open to at least a significant portion of the risk, he said.
"They're trying to help businesses figure out what could be the dollar value for the data, which the cybersecurity insurance industry could use to better underwrite the insurance risk," he said. "But the insurance body for cybersecurity is still a work in progress."
Some source interviews were conducted for a previous version of this article.